Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu.

Similar presentations


Presentation on theme: "SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu."— Presentation transcript:

1 SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu

2 Middleboxes management is hard! 2 Critical for security, performance, compliance But expensive, complex and difficult to manage Survey across 57 network operators (J. Sherry et al. SIGCOMM 2012) e.g., a network with ~2000 middleboxes required 500+ operators

3 Can SDN simplify middlebox management? Centralized Controller “ Flow ” FwdAction …… “ Flow ” FwdAction …… OpenFlow 3 Proxy IDS Necessity + Opportunity: Incorporate functions markets views as important Scope: Enforce middlebox-specific steering policies Firewall IDS Proxy Web

4 What makes this problem challenging? Centralized Controller “ Flow ” FwdAction …… “ Flow ” FwdAction …… OpenFlow 4 Proxy IDS Middleboxes introduce new dimensions beyond L2/L3 tasks. Achieve this with unmodified middleboxes and existing SDN APIs Firewall IDS Proxy Web

5 Firewall IDS Proxy Web Our Work: SIMPLE Legacy Middleboxes OpenFlow capable FlowAction …… FlowAction …… 5 Policy enforcement layer for middlebox-specific “traffic steering”

6 Outline Motivation Challenges SIMPLE Design Evaluation Conclusions 66

7 Challenge: Policy Composition S1 S2 7 Firewall Proxy IDS FirewallIDSProxy * Policy Chain: Oops! Forward Pkt to IDS or Dst? Dst “Loops” Traditional flow rules may not suffice!

8 Challenge: Resource Constraints S1 S2 S4 S3 Proxy Firewall IDS1 = 50% IDS2 = 50% Space for traffic split? Can we set up “feasible” forwarding rules? 8

9 9 S1 Proxy S2 User 1 User 2 Proxy may modify flows Are forwarding rules at S2 correct? Challenge: Dynamic Modifications Firewall User1: Proxy  Firewall User2: Proxy

10 New dimensions beyond Layer 2-3 tasks 1) Policy Composition  Potential loops 3) Dynamic Modifications  Correctness? 2) Resource Constraints  Switch + Middlebox 10 Can we address these with unmodified middleboxes and existing SDN APIs?

11 Outline Motivation + Context for the Work Challenges SIMPLE Design Evaluation Conclusion 11

12 Rule Generator Resource Manager Modifications Handler SIMPLE System Overview Legacy Middleboxes OpenFlow capable FlowAction …… FlowAction …… 12 Firewall IDS Proxy Web

13 Composition  Tag Processing State 13 FirewallIDSProxy * Policy Chain: S1 S2 Firewall Proxy IDS Dst ORIGINAL Post-Firewall Post-IDS Post-Proxy Fwd to Dst Insight: Distinguish different instances of the same packet

14 Rule Generator Resource Manager Modifications Handler SIMPLE System Overview Legacy Middleboxes OpenFlow capable FlowAction …… FlowAction …… 14 Firewall IDS Proxy Web

15 Resource Constraints  Joint Optimization Resource Manager Topology & Traffic Switch TCAM Middlebox Capacity + Footprints Policy Spec Optimal & Feasible load balancing Theoretically hard! Not obvious if some configuration is feasible! 15

16 Offline + Online Decomposition 16 Offline StageOnline Step Deals with Switch constraints Deals with only load balancing Resource Manager Network Topology Switch TCAM Policy Spec Traffic Matrix Mbox Capacity + Footprints

17 Offline Stage: ILP based pruning 17 Set of all possible middlebox load distributions Pruned Set Balance the middlebox load Feasible Sufficient freedom

18 FW IDS Proxy Web Rule Generator Resource Manager Modifications Handler SIMPLE System Overview Legacy Middleboxes OpenFlow capable FlowAction …… FlowAction …… 18

19 Modifications  Infer flow correlations 19 Correlate flows Install rules S1 Proxy S2 User 1 User 2 Firewall User1: Proxy  Firewall User2: Proxy Payload Similarity

20 FW IDS Proxy Web Rule Generator (Policy Composition) Resource Manager (Resource Constraint) Modifications Handler (Dynamic modifications) SIMPLE Implementation OpenFlow 1.0 FlowTag/Tun nel Action …… FlowTag/Tun nel Action …… POX extensions 20 CPLEX

21 Outline Motivation + Context for the Work Challenges SIMPLE Design Evaluation Conclusion 21

22 Evaluation and Methodology What benefits SIMPLE offers? load balancing? How scalable is the SIMPLE optimizer? How close is the SIMPLE optimizer to the optimal? How accurate is the dynamic inference? Methodology – Small-scale real test bed experiments (Emulab) – Evaluation over Mininet (with up to 60 nodes) – Large-scale trace driven simulations (for convergence times) 22

23 Benefits: Load balancing 4-7X better load balancing and near optimal 23 Optimal

24 Overhead: Reconfiguration Time Around 125 ms to reconfigure, most time spent in pushing rules 24 33 node topology including 11 switches

25 Other Key Results LP solving takes 1s for a 252 node topology – 4-5 orders of magnitude faster than strawman 95 % accuracy in inferring flow correlations Scalability of pruning: 1800s  110s 25

26 Conclusions Middleboxes: Necessity and opportunity for SDN Goal: Simplify middlebox-specific policy enforcement Challenges: Composition, resource constraints, modifications SIMPLE: policy enforcement layer – Does not modify middleboxes – No changes to SDN APIs – No visibility required into the internal of middleboxes Scalable and offers 4-7X improvement in load balancing 26

27 27

28 Decompose Optimization: Slow Offline + Fast Online Steps Policy Spec Network Topology Enumerate Physical Sequences Prune for Feasible Configs Rule Model Offline Pruning Traffic Matrix LP with PrunedSet Mbox Capacity Online Load Balancing PrunedSet 28

29 Enumerating Physical Sequences 29 S1 S6 S2 S5 FW1 FW2 10.1/16, HTTP  * Firewall IDS Physical Sequence FW1-IDS1-Proxy1S1 S2 FW1 S2 S4 S5 IDS1 S5 S4 S2 Proxy1 S2 S4 S5 S6 FW2-IDS1-Proxy1S1 S3 FW2 S3 S5 IDS1 S5 S4 S2 Proxy1 S2 S4 S5 S6 S3 Proxy Policy Chains Proxy1 IDS1 S4 29


Download ppt "SIMPLE-fying Middlebox Policy Enforcement Using SDN Zafar Ayyub Qazi Cheng-Chun Tu Luis Chiang Vyas Sekar Rui Miao Minlan Yu."

Similar presentations


Ads by Google